Lockdown windows 7

[ricki]

Hi Everyone

I am currently running a windows 2003 domain with windows xp clients, but am testing one windows 7 machine to see how it compares with our current hardware and software.

I know I should upgrade the domain to windows 2008 before rolling windows 7 out but for testing I am ok.

What settings have people used to secure the windows 7 machines and will adding extra settings to the users policies affect the users when they log onto windows xp machines.

Thanks for all your help.

Richard

[kennysarmy]

I am interested in this too.....

and also in what cons there are to running windows 7 still under 2003?

[Potato-Peeler]

I have been told that without server 2008 a number of group policy issues will appear, and without server 2008 r2 you cant use vb logon scripts with windows 7.

[SYNACK]

I use seporate policies for XP and 7 because it is much easier. Just use a WMI filter for each of the user assigned policies.

If you have already deployed Vista then just update those policies. If you are comming from XP there is so much more in them that it is better to start from scratch as otherwise you can end up with crazy defaults.

If you have some XP machines remaining then use a WMI filter on the user GPO policies to filter out just the XP and Just the 7 ones so that it all works together smoothly - a seporate user policy for 7 /Vista and XP.

Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx

I have two separate policies for users which are filtered by which OS the user is logged in with. If they are logged in to an XP box they get one setup and if Vista a completely different policy. I found that much of the stuff that I set up for XP simply made stuff more tricky in Vista hence the separation.

I have the Vista machines in completely separate containers so I don't need the filter on the machine polices but as the users are all in the same place and can log in to either I set up the filtering.

James.Random() : How to detect Vista and Longhorn with WMI Filters
RE: Exclude Vista from GPO - ReadList.com

As to using 2003 server so long as you update the central policy share in sysvol it works fine as I have a client setup this this. They were limited in uprade path by some especially helpful education software

Just dump RSAT (below) on your system and you can configure them through the group policy managment snapin that it installs
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

You can also create a policy store if it is not there already to make the whole thing more efficient and centralize the templates
Creating a Group Policy Central Store for Windows Vista and Server 2008

[cookie_monster]

You can manage Windows 7 boxes on a Server 2003 domain but you must manage the GPO's from a Windows 7 box with the admin tools installed. You don't 'have' to use the central store either.

Take a look at the An Alternative to the Central Store section in the link below. This is a good article on this subject.

http://blogs.technet.com/askds/archi...ral-store.aspx

As it states you can have a 2003 or 2008 domain and manage your Windows 7 boxes from either a Windows 7 machine or even better a 2008 R2 box with the admin tools installed, then you just connect to this via RDP when you want to manage GPO's.